Security Teams Need to Be Prepared With an Incident Response Plan

Investors are more worried than ever about digital threats. Respondents to PricewaterhouseCoopers’ 2018 “Global Investor Survey” named cyberthreats the top threat to businesses — a leap from fifth place the previous year.

Those fears are justified. Research published last December by SafeBreach, which studied 3,400 security breach methods, reported a malware infiltration success rate above 60 percent. Once inside the systems, hackers had an even easier time moving around than they did trying to get in. In fact, 70 percent of them were able to navigate through systems laterally.

Security leaders are right to be concerned, but identifying breaches is easier said than done. Just because something is abnormal does not mean the system is breached, and sometimes the system is breached well before anything abnormal happens. When the time comes to take action, many teams are unable to even diagnose the problem.

A true security incident refers to something that could negatively impact information security objectives like confidentiality, integrity, or availability. When something in the system triggers an alert or looks unusual, security teams need to have a protocol in place to diagnose, act on, and neutralize the issue. An effective incident response plan can be the difference between an easily fixed vulnerability and a catastrophic security breach.

What Makes a Security Response Plan Legit?

Unfortunately, the variable nature of cybersecurity incidents makes preparation difficult. Putting together an incident response plan is like preparing for a tornado — you won’t truly know the extent of the damage until the storm has arrived. You can, however, plan several effective courses of action and gather everything you’ll need to respond.

Designing an incident response plan takes time, but it’s far less stressful to plan before an event than during or after one. Some time-strapped businesses might be tempted to download a generic security plan off the internet, but without the time investment on the front end, nobody in the organization really buys into the plan or studies it in depth. So when an incident occurs and some of the protocols in a generic plan — for example, taking 72 hours between the time of the incident and its communication — conflict with organizational needs, nobody is really sure what to do.

Europe’s GDPR legislation has a section attempting to provide some standardization for incident response, but those guidelines only provide a starting point for organization-specific plans. CISOs and their teams face too many variable questions to depend on cut-and-paste plans. If the company has been negligent in its obligation to monitor its environment, does it account for that? How do the company’s internal controls identify an incident in the first place? Does the organization possess the necessary tools and people to follow through with a plan? There are a lot of questions, and it’s up to the CISO to find the answers and include those answers in a customized plan.

CISOs Stepping Up

CISOs oversee the entire security operation, so when a crisis does hit, it’s incumbent upon them to lay out a clear direction for each stakeholder on the incident response team. This includes security, legal, and forensic employees (often outside consultants); law enforcement (often the FBI); relevant regulators; insurance companies; the PR department; human resources; and anyone else who might be affected by a breach. Knowing when to involve third parties and when to keep the process in-house should be included in each organization’s incident response plan, which is part of the reason customization usually leads to more effective plans.

Frameworks such as the NIST Cybersecurity Framework can help organize a cybersecurity program through four distinct steps: identify, detect, respond, and recover. By using this framework as a jumping-off point, CISOs can assemble and implement an incident response plan that works for their organization and leaves as little to chance as possible.

Just as important as the plan’s existence is its maintenance. Threats evolve, and regular testing and revising of an incident response plan will keep the team engaged. Identification of new threats is the biggest hurdle, but those new threats require new kinds of responses, too.

No company should be breathing easy without a robust incident response plan. The next cybersecurity threat is always just around the corner, and ill-prepared companies run a huge risk for themselves and their customers.

Founder and President at BARR Advisory

Brad Thies is the founder and president of BARR Advisory, P.A., an assurance and advisory firm specializing in cybersecurity, risk management, and compliance. Brad speaks regularly at industry events such as ISACA conferences, and he is a member of AICPA’s Trust Information Integrity Task Force.